robertbearclaw.com

Deploying Microsoft Sentinel Scheduled Analytics Rule with Bicep

Chapter 1: Introduction to Microsoft Sentinel and Bicep

This guide is designed to assist you in implementing Microsoft Sentinel within your system, particularly focusing on a scheduled analytics rule that detects matches across various data feeds for IP Indicators of Compromise (IOCs) associated with the IRIDIUM activity group. We will utilize Infrastructure-as-Code (IaC) through Azure Bicep.

Azure Bicep serves as a domain-specific language (DSL) that employs a declarative syntax for deploying Azure resources. Essentially, Bicep simplifies the process of creating Azure Resource Manager (ARM) templates, allowing you to define Azure resources in a more accessible manner. According to Microsoft Docs:

Once you've linked your data sources to Microsoft Sentinel, you can create tailored analytics rules to identify threats and unusual activities in your environment. These analytics rules monitor specific events or groups of events, notifying you when particular thresholds or conditions are met, generating incidents for your Security Operations Center (SOC) to analyze and respond to threats with automated tracking and remediation processes.

Prerequisites

  1. An active Azure account (you can sign up for free).
  2. Azure Bicep installed on your local machine.
  3. Azure PowerShell installed. Refer to: Install Azure PowerShell.
  4. A resource group within your Azure subscription.

Let's dive in!

Chapter 2: Overview of the Solution

We will create a Bicep template to set up a Microsoft Sentinel instance in your environment, along with a scheduled analytics rule that detects matches across different data feeds for IP IOCs linked to the IRIDIUM activity group.

The solution will consist of the following files:

  • 📄 main.bicep: The Bicep template.
  • 📄 azuredeploy.parameters.json: The parameter file containing values for deploying your Bicep template.

Section 2.1: Azure Bicep Template - Parameters

Begin by creating a new file in your working directory called main.bicep. In this file, we will define the necessary parameters:

@description('Unique name for the scheduled alert rule.')
param ruleName string

@description('Region for the workspace; defaults to the location of the target resource group.')
param location string = resourceGroup().location

@description('Short name used to build the workspace name.')
param sentinelName string

// Log Analytics retention is bounded to 30-730 days; 90 is a sensible default.
@minValue(30)
@maxValue(730)
param retentionInDays int = 90

Section 2.2: Azure Bicep Template - Variables

Next, we will declare the following variables. workspaceName builds a unique workspace name from the location, the sentinelName parameter and a hash of the resource group id; solutionName is the name the Sentinel (SecurityInsights) solution takes when it is attached to that workspace:

// Unique per resource group, so repeated deployments do not collide.
var workspaceName = '${location}-${sentinelName}-${uniqueString(resourceGroup().id)}'

// Bicep resolves symbolic references regardless of declaration order, so
// sentinelWorkspace can be referenced here even though it is declared below.
var solutionName = 'SecurityInsights(${sentinelWorkspace.name})'

Section 2.3: Azure Bicep Template - Resources

Now, we will define the resources required for our deployment:

// Log Analytics workspace that Sentinel will be enabled on.
resource sentinelWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'   // pay-per-GB ingestion tier
    }
    retentionInDays: retentionInDays
  }
}

This resource declaration creates the Log Analytics workspace that Sentinel runs on, using the PerGB2018 pricing tier and the retention period supplied by the retentionInDays parameter.
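The solutionName variable declared in Section 2.2 is only used once a Sentinel (SecurityInsights) solution is attached to the workspace, and the template as shown on this page never declares that resource; without it the workspace is plain Log Analytics and the alert rule has nothing to bind to. The following resource is an added example, not code from the original post, and assumes the sentinelWorkspace resource and solutionName variable from the sections above:

```bicep
// Added example: enable Microsoft Sentinel on the Log Analytics workspace.
// Assumes the sentinelWorkspace resource and the solutionName variable
// ('SecurityInsights(<workspaceName>)') declared earlier in main.bicep.
resource sentinelSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: solutionName
  location: location
  plan: {
    name: solutionName
    publisher: 'Microsoft'
    product: 'OMSGallery/SecurityInsights'   // the Sentinel gallery solution
    promotionCode: ''
  }
  properties: {
    // Referencing the workspace id creates an implicit dependency, so the
    // workspace is provisioned before the solution is attached to it.
    workspaceResourceId: sentinelWorkspace.id
  }
}
```

Because the alert rule in Section 2.4 only references the workspace, add dependsOn: [sentinelSolution] to that rule so it is not created before Sentinel has been enabled on the workspace.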

Section 2.4: Analytics Rule Configuration

Next, let's configure the analytics rule:

// Scheduled analytics rule. Alert rules are extension resources, so the
// rule is scoped to the workspace rather than nested inside it.
resource ruleGuid 'Microsoft.SecurityInsights/alertRules@2021-03-01-preview' = {
  scope: sentinelWorkspace
  name: ruleName
  kind: 'Scheduled'
  properties: {
    displayName: 'Known IRIDIUM IP'
    description: 'Identifies matches across various data feeds for IP IOCs related to the IRIDIUM activity group.'
    severity: 'High'
    enabled: true
    // KQL query; IPList holds the IOC set, the remainder of the query is elided here.
    query: 'let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]); ...'
    // Run once a day over the last day of data (ISO 8601 durations).
    queryFrequency: 'P1D'
    queryPeriod: 'P1D'
    // Fire whenever the query returns at least one row.
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT5H'
    suppressionEnabled: false
    tactics: ['CommandAndControl']
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: false
        lookbackDuration: 'PT5H'
      }
    }
    eventGroupingSettings: {
      aggregationKind: 'SingleAlert'   // one alert per query run, not one per row
    }
  }
}

Section 2.5: Parameters File Setup

Create a new file named azuredeploy.parameters.json to define the parameters for your deployment:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "ruleName": {
      "value": "azinsiderRule"
    },
    "sentinelName": {
      "value": "azinsider"
    }
  }
}

Section 2.6: Deploying the Bicep Template

To deploy your Bicep template, execute the following command:

az deployment group create --resource-group <your-resource-group> --template-file main.bicep --parameters azuredeploy.parameters.json

You can preview the deployment first by running az deployment group what-if with the same arguments; it lists the resources that would be created or changed without applying anything. Once the preview looks right, run the create command above to finalize the setup.

After deployment, verify in the Azure Portal that the rule appears under Analytics in the Sentinel workspace and is enabled.

For further assistance or contributions, feel free to check out the code for this solution at the provided link.

-Dave R.
